Learn How To Configure Your ISA Server 2004 To Block Ject Traffic

The first course of action taken against Ject must be protecting and patching all affected computers. Find out what you should know about Ject. Ject exploits the vulnerability that was addressed by Microsoft Security Bulletin MS04-013.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 to block malicious traffic created by malicious web servers and to possibly prevent computers on internal networks from additional infection.

By default, ISA Server 2000 is not capable of blocking this traffic without a special plug-in. For examples of these, see ISA Server 2000 Partners

The first section of this article contains technical details about Ject:

In addition, this article discusses the scenario where ISA Server can mitigate a Ject response:

This article also discusses:

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user's own risk.

Ject traffic is carried in a standard HTTP response header, and thus uses port 80 for its attack vector. It's impractical to close this port as doing so will block all web site traffic.

# Port Number IP Protocol Known to Be Used by Ject





Internal hosts are vulnerable to this attack if:

  1. the internal host does not have the MS04-013 patch applied
  2. ISA Server 2004 is not configured to block Ject-formatted response headers

Default installations of ISA Server 2004 do not include the filter definition required to block Ject.

To help prevent Ject traffic through ISA Server 2004:

  • DO create a backup of your current Firewall Policies before making the recommended changes. This will allow you to revert to your previous configuration should adverse behavior occur as a result of them.
  • DO create an HTTP Filter "Signatures" setting that includes the definitions as described below for each access rule that uses the HTTP protocol.

A computer that has ISA Server 2004 installed is vulnerable to internal attack by the Ject worm if it has not had the MS04-013 patch applied.

Warning: because the ISA Server itself makes use of System policies for Internet access and System policies cannot use HTTP Filters, you cannot apply the same filter settings to system rules. For this reason, it is advised that you not use the ISA Server itself for web browsing.

If you are using an "allow all" policy for outbound traffic, you only need to apply the HTTP Filter changes to your "Allow all" rule. Otherwise, you will need to apply the HTTP Filter settings to any "Allow" Access Rule that includes the ISA Server-defined HTTP protocol.

You may also obtain a script from ISATools.org that will automate the following steps http://www.isatools.org/tools/block_ms04-013.vbs. This script will create the same policy rule changes as described below and will also create a backup of your current policies before changing them.

You should only add HTTP Filter settings to rules that are:
  1. Array Rules
  2. Access Rules
  3. Allow Rules
  4. HTTP is included in the Protocols column

Deny rules, even those that specify All Except HTTP cannot use HTTP Filter settings.

To block Ject response traffic:

  1. In ISA Management, expand <ISA Server name> and select Firewall Policy.
  2. Select the first rule that meets the requirements in Note above.
  3. Right-click the rule and select Configure HTTP.
  4. Select the Signatures tab and click Add.
  5. In the Name field, enter Download.Ject.
  6. In the Description field, enter "Blocks Malicious Location headers that attempt to exploit MS04-013".
  7. In the Search In drop-down list, select Response headers.
  8. In the HTTP Header field, enter Location.
  9. In the Signature field, enter C:\
  10. Click OK, Apply, then OK
  11. Repeat steps 3 through 10 for each rule that meets the requirements in Note above
  12. Click Apply in the ISA Management MMC immediately above the rules list
  13. Click OK when the Apply New Configuration dialog displays "Changes to the configuration were successfully applied"
You should verify that your existing policies still perform as they did before you added the Ject HTTP Filter changes.